Recommendation Dashboard

The Inter-American Foundation Chief Information Officer remediate vulnerabilities in the network identified by the Office of Inspector General's contractor, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.

The Inter-American Foundation Chief Information Officer establish in writing patch time frame requirements to make sure known vulnerabilities are remediated.

The Inter-American Foundation Chief Information Officer implement a written process to review the virtual private network device configuration and to either disable nonessential and insecure services or document acceptance of the risks.

The Inter-American Foundation Chief Information Officer document and implement audit and accountability procedures to include monitoring, reviewing, and analyzing event logs on a schedule defined by the organization for indications of inappropriate or unusual activity.

The Inter-American Foundation Chief Information Officer document and implement a baseline configuration for the Enterprise Network.

The Inter-American Foundation Chief Information Officer either update the foundation's policies, procedures, and network password settings to ensure compliance with the U. S. Government Configuration Baseline standards or document deviations from those standards in the foundation's Information System Security Program and System Security Plan and document acceptance of the risk.

The Inter-American Foundation Chief Information Officer document and implement a process to maintain an up-to-date plan of action and milestones and to implement corrective actions in a timely manner.

The Inter-American Foundation Chief Information Officer implement a documented process to review and update the Enterprise Network System Security Plan annually or as significant system changes
occur to make sure the security requirements and controls for the system are documented adequately and reflect the current operating environment of the information system.

USAID/Morocco revise the memorandum of understanding with the Direction Generale des Collectivites Locales to reactivate and formalize the existence of the steering committee, and define its role and agenda.

USAID/Morocco perform a data quality assessment for activities under the Democracy and Governance Program in accordance with USAID requirements and document the results.

USAID/Morocco review its active awards portfolio to identify awards missing the required antitrafficking and environmental language, and implement a plan to include the missing language in future amendments to these awards.

USAID/Morocco require RTI International to include the required antitrafficking and environmental language in all active subawards.

The Overseas Private Investment Corporation Chief Information Officer develop, document, and implement National Institute of Standards and Technology-approved configuration baselines for the following software platforms utilized by OPICNet: Windows Server (all versions, Microsoft SQL Server (all versions), Oracle 9, Microsoft Internet Information Server.

The Overseas Private Investment Corporation Chief Information Officer conduct configuration baseline monitoring of the following software platforms in accordance with organizational policies and procedures and document the results: Windows Server (all versions), Microsoft SQL Server (all versions, Oracle 9, Microsoft Internet Information Server.

The Overseas Private Investment Corporation Chief Information Officer document and implement procedures to confirm that: Guest accounts are used as specified in organizational policies and procedures. Accounts inactive for more than 30 days are disabled. Temporary accounts are disabled or removed after 48 hours unless otherwise noted. Terminated individuals' accounts are removed or disabled within a Corporation-specified time frame upon departure. User accounts are disabled properly or removed upon the account expiration date. Account recertifications are conducted at least annually.

The Overseas Private Investment Corporation Chief Information Officer implement audit tools that effectively capture and report all auditable events as required by the Corporation's policies and procedures, and document the results, including: Successful and unsuccessful account logon events, Account management events, Object access, Policy change, Privilege functions, Process tracking, System events, Remote access sessions.

The Overseas Private Investment Corporation Chief Information Officer create a written plan of action and milestones item to track the remediation and establishment of an alternate processing site.

The Overseas Private Investment Corporation Chief Information Officer establish and approve an appropriate written agreement with an alternate processing site to permit the resumption of information system operations for critical mission/business functions when the primary processing capabilities are unavailable in accordance with National Institute of Standards and Technology requirements.

The Overseas Private Investment Corporation Chief Information Officer complete planned corrective actions for OPIC Network to confirm that the plan of action and milestones items for the following are remediated in a timely manner, or perform an appropriate acceptance of risk, and document the results: External access permitted to internal hosts; Insecure Outlook Web access; Unenforced policy (firewalls, demilitarized zone, Internet access content filtering); Unpatchable systems (APPX); Several vulnerabilities and misconfigurations were identified on publicly facing devices.

The Overseas Private Investment Corporation Chief Information Officer implement a written process to confirm that users complete initial security awareness training before they are granted access to the Corporation's network in accordance with OPIC Information System Security Policy, Version 1.0 (ISSP-2013-v1), section 7.3, Awareness and Training.

The Overseas Private Investment Corporation Chief Information Officer revise its OPIC Information System Security Policy to require annual role-based security training in accordance with National Institute of Standards and Technology requirements.

The Overseas Private Investment Corporation Chief Information Officer implement a written role-based security training course for users with significant security responsibilities.

The Overseas Private Investment Corporation Chief Information Officer fully implement procedures to confirm that the System for Awards Management and E2 Solutions system interconnections have been reviewed for appropriate implementation of external agencies' security controls and document the results.

Overseas Private Investment Corporation Chief Information Officer: Define and document information security risk tolerance consistent with the organizational risk tolerance. Implement written procedures to ensure future riskbased decisions are made taking into account the Corporation's defined information security risk tolerance.

The Overseas Private Investment Corporation Chief Information Officer document and implement procedures to confirm that all users sign the Corporation's rules of behavior prior to being granted access to OPIC Network.

The Overseas Private Investment Corporation Chief Information Officer include in the written plan of action and milestones an estimate of funding resources required to resolve weaknesses, as required by Office of Management and Budget Memorandum 02-01.

USAID/Afghanistan complete and implement a plan for sustaining the benefits derived from the Kandahar Helmand Power Project.

USAID/Afghanistan ascertain and document Black & Veatch's compliance with the Kandahar Helmand Power Project's final amended initial environmental examination.

USAID/Afghanistan determine the allowability
and recover, as appropriate, questioned costs of $164,157 in first- and business-class travel that were identified in Black & Veatch's invoices for the Kandahar Helmand Power Project.

USAID/El Salvador review the Regional Program for the Management of Aquatic Resources and Economic Alternatives contract and implement a plan for the completion of the program's objectives and targets, or terminate activities that cannot be completed and adjust the payment of the fixed fee to reflect actual accomplishments and document their decision.

USAID/El Salvador establish and implement, in conjunction with Chemonics, data collection and review procedures to correct errors identified in this report and to confirm that the data used in reporting progress are accurate.

USAID/El Salvador prepare a written site visit schedule for the remaining contract period.

USAID/El Salvador review the Regional Program for the Management of Aquatic Resources and Economic Alternatives contract, and develop performance indicators and targets for all of the program's expected results.

USAID/El Salvador revise the performance indicators identified in the audit as vague so they represent the intended results clearly and adequately.

USAID/El Salvador require in writing that the contractor provide an annual budget by activity and report on actual expenses compared with that budget.

USAID/El Salvador develop a list and submit all required documents in English to the Development Experience Clearinghouse.

USAID/El Salvador require Chemonics to conduct and document gender case studies as required by the contract.

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 1 in Office of Inspector General Audit Report No. M-000-13-001-P.

We recommend that the Millennium Challenge Corporation Chief Information Officer determine and document why the Corporation's vulnerability management tool is not identifying vulnerabilities identified by the Office of Inspector General's contractor.

After taking final action for Recommendation 2, we recommend that the Millennium Challenge Corporation Chief Information Officer remediate vulnerabilities on the network identified by the Office of Inspector General's contractor as appropriate, or document acceptance of the risks of those vulnerabilities.

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 3 in Office of Inspector General Audit Report No. M-000-13-001-P.

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a written process to review active service accounts that have not logged in over a specified period of time, as defined by the Corporation, or that have never logged into the system to determine whether accounts are necessary.

We recommend that the Millennium Challenge Corporation Chief Information Officer conduct and document a full system authorization for the Millennium Challenge Corporation Management Information System in accordance with the Corporation's policy.

We recommend that the Millennium Challenge Corporation Chief Information Officer conduct and document a system reauthorization for MCC Integrated Data Analysis System in accordance with the Corporation's policy.

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 9 in Office of Inspector General Audit Report No. M-000-13-001-P.

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement audit and accountability procedures to include monitoring, reviewing, and analyzing event logs for indications of inappropriate or unusual activity.

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process to make sure changes are tested and test results are reviewed before the changes are implemented when appropriate.

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 9 in Office of Inspector General Audit Report No. M-000-11-004-P.

We recommend that the Millennium Challenge Corporation Vice President of Administration and Finance document its relationships with its third-party service providers, then take actions to get appropriate agreements in place with them.

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a documented process to make sure the disaster recovery plan is updated annually to reflect lessons learned from the disaster recovery testing.

We recommend that the Millennium Challenge Corporation's Chief Information Officer ask that two-factor authentication, as required by Office of Management and Budget Memorandum M-06-16, be implemented for the Corporation's travel system. If it is not, document the Corporation's acceptance of the risk of not implementing the control as part of the security review of the system and obtain a written waiver from the Office of Management and Budget to exempt the Corporation from implementing two-factor authentication for its travel system.

We recommend that the Millennium Challenge Corporation's Chief Information Officer ask the senior advisory board to make a written determination whether the Corporation should report, track, and monitor its information security program as a material weakness or reportable condition pursuant to the Federal Managers' Financial Integrity Act of 1982.

USAID's Office of Acquisition and Assistance evaluate cost-effective alternatives to the present system of administering and complying with the Defense Base Act insurance program, including the option to self-insure with congressional approval, and document the results.

USAID's Office of Acquisition and Assistance modify its follow-on contract with the selected Defense Base Act insurance provider to place adjustable limits on the amount of overseas employee remuneration used to determine premiums, so that remuneration does not exceed current Department of Labor benefit levels.

USAID's Office of Acquisition and Assistance evaluate and document with USAID management whether to transfer responsibilities for Defense Base Act insurance management to another division within the Office or to a more appropriate USAID Office with expertise in matters related to workers' compensation insurance.

USAID's Office of Acquisition and Assistance issue written guidance to its contracting officers to increase oversight of its contractors and of implementing partners that purchase DBA insurance, including obtaining before contract closeout a copy of the insurance provider's final invoice showing adjusted premium amounts.

USAID's Office of Acquisition and Assistance determine the allowability of $6,586,427 in ineligible questioned costs arising from Defense Base Act insurance premium refunds issued to USAID contracting organizations and recover from them any amounts determined to be unallowable.

USAID/East Africa revise the Somalia due diligence clauses in its development awards to contain a statement on the discretion partners have in establishing their own procedures, direct partners to available guidance, and require submission of a due diligence implementation plan.

USAID's Bureau for Democracy, Conflict and Humanitarian Assistance, in coordination with other stakeholders, document and promote a strategy to standardize and improve due diligence procedures its partners use when implementing humanitarian assistance activities in Somalia.

USAID's Bureau for Democracy, Conflict and Humanitarian Assistance submit a written request to the Department of State to appeal to the Department of the Treasury for an amendment to the license granted by the Office of Foreign Assets Control to allow hiring of third-party monitors in Somalia.

USAID's Chief Information Officer implement formal written procedures for reviewing excessive mobile device charges, including the frequency of those reviews and a determination of whether users should be changed to another mobile device plan with features that accommodated the mobile
needs and/or use alternate solutions to meet Agency mobile needs.

USAID's Chief Information Officer implement formal written procedures for reviewing unused mobile devices with responsible Agency officials. At a minimum, the procedures should include an acceptable level for the number and cost of unused devices and the frequency of the reviews (no less than quarterly).

USAID's Chief Information Officer implement documented procedures for mobile devices that define policy violations and describe monitoring for and reporting on those violations (other than when the device is on the network and violates those policies).

USAID's Chief Information Officer implement documented policies that define the conditions for remotely wiping mobile devices if the device is lost or stolen and is at risk of having its data recovered by an unauthorized individual or entity and for failed password attempts.

USAID's Chief Information Officer implement documented policies that define the conditions for remotely locking devices suspected of being left unlocked in an unsecured location.

USAID's Chief Information Officer implement documented procedures for digitally signing USAID-developed applications.

USAID's Chief Information Officer implement documented procedures that describe how policies will be managed on BlackBerry Enterprise Servers.

USAID's Chief Information Officer implement
documented policies that define which types of mobile devices are permitted to access the Agency's resources.

USAID's Chief Information Officer implement
documented policies that define the degree of access that various classes of mobile devices (e.g., organization-issued devices versus those that are personally owned) can have to Agency resources.

USAID's Chief Information Officer revise Mobile Computing Standards: A Mandatory Reference for ADS Chapter 545 to be consistent with the requirements regarding encryption of information stored on mobile devices in Automated Directives System 545.3.6.6, "Mobile Computing Devices,"
(November 9, 2012).

USAID's Chief Information Officer revise Automated Directives System 549.3.4.3, "Electronic Mail (E-Mail)," to reflect the Agency's current policy regarding e-mail usage for sensitive but unclassified information.

USAID's Chief Information Officer revise the
following documents, as appropriate, to make clear policy statements regarding requirements for antivirus software and firewalls on mobile devices: Automated Directives System 545.3.6.6 "Mobile Computing Devices;" Mobile Computing Standards: A Mandatory Reference for ADS Chapter 545.

USAID's Chief Information Security Officer document a risk assessment for the 'Agency for International Development Network.'

After implementing Recommendation 13, we recommend that USAID's Chief Information Security Officer incorporate necessary updates to the risk assessments for iPads, iPad2s, iPad3s, and iOS 6.

USAID's Chief Information Security Officer include the following plans in the Agency's written plan of action and milestones, as required by National Institute of Standards and Technology's Recommended Security Controls for Federal Information Systems and Organizations:
Establish usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies. Create tools and applications for mobile devices. Develop, test, and document sanitization procedures for mobile devices.

USAID's Chief Information Security Officer either finalize the risk assessment for the Agency's BlackBerry mobile devices or, if the devices will be phased out in the next year, formally document and accept the risk of not completing the risk assessment for them.

USAID's Chief Information Security Officer update the security policy for Agency BlackBerrys if USAID finalizes the risk assessment for Agency BlackBerrys detailed in Recommendation 16.

USAID's Chief Information Security Officer implement and require two-factor authentication for access to Agency e-mail with one factor separate from the device, as required, and document the results.

USAID's Chief Information Officer implement the Agency's strong password policy to unlock iPhones and BlackBerry mobile devices, as required, and document the results.
USAID Did Not Configure Its BlackBerry Mobile

After implementing Recommendation 15, USAID's Chief Information Officer configure the servers for mobile devices to restrict the ability to download applications to the devices, as appropriate.

After implementing Recommendation 20, USAID's Chief Information Officer, remove unapproved applications from Agency mobile devices and document their removal.

USAID's Chief Information Officer implement written procedures to maintain a centralized inventory of mobile devices on a comprehensive basis and require updating it as devices are purchased, exchanged, and returned.

USAID's Chief Information Officer implement written procedures to verify whether mobile devices on the monthly invoices are included in the Office of the Chief Information Officer's inventory and include the investigation of discrepancies.

USAID's Chief Information Officer implement written procedures to review mobile device user agreements for completeness and return all incomplete forms before approving mobile device services.

USAID's Chief Information Officer implement a written records management process to maintain and readily locate Agency user agreement forms for mobile devices.

USAID's Chief Information Officer revise Mobile Device Additional Charge Procedures to designate a time frame by when bureaus and offices must pay for additional charges and remedial action will be
taken for past due additional charges.

USAID/Pakistan implement a funding plan for the Small Grants Program that incorporates ownership from the technical offices.

USAID/Pakistan implement a plan for technical offices to monitor the Small Grants Program for development impact and sustainability.

USAID/Pakistan update its Small Grants Program guidance to comply with Mission Order 300.2, detailing steps for the technical offices to review and approve small grant concept papers and full applications and prescribing time frames for completing each step.